VMware issued two product updates on Tuesday to patch and present workarounds for two vulnerabilities, one considered critical and the other important.
The critical flaw, designated CVE-2016-3427, corresponds to multiple versions of VMware's vCenter Server, vCloud Director, vSphrere Replication and vRealize Operations Manager products. According to VMware, the “RMI [Remote Method Invocation] server of Oracle JRE [Java Runtime Environment] JMX [Java Management Extensions] deserializes any class [of objects] when deserializing authentication credentials.” Deserialization is the process of converting a stream of bytes of information back into the original object it came from. If exploited, this flaw could allow an authenticated bad actor to cause deserialization flaws and execute malicious commands.
The other issue is a host privilege escalation vulnerability, CVE-2016-2077 affecting Windows versions of VMware Workstation and VMware Player. Because these two programs do not properly reference one of their executables, a local attacker on the host could potentially elevate his privileges.